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Page(s) = 466 


7 *ib6 = --3797 BIC’ = —3/57 ‘BIE. >. =27. 

8 ~ -b6 - -3,5; b7C = -3,5; b7E = =23 

G ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

10 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
11 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
12 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
13 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
14 ~ b6 - -3; b7C - -3; DIE - -2; 

15 ~ b6 

16 ~ b6 ; ; 

17 ~ b6 -1,3; b7C - -1,3; 

18 ~ b3 -1; b6 - -1,5; b7C - -1.5; 

20 ~ b3 -1; b6 - -3; b7C - -3; 

21 ~ b3 =; b6*="=37, bIC —=33 

22 ~ b3 -1; b6 - -3; b7C - -3; 

23 ~ b3 -1; b6 - -3; b7C - -3; 

30 ~ b6 -3,5; b7IC - -3,5; b7E - -2; 
31 b6 -3,5; bIC - -3,5; bIE - -2; 
32 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
33 ~ b6é -3,5; b7C - -3,5; b7E - -2; 
34 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
35 ~ b6 -3,5; bIC - -3,5; b7E - -2; 
36 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
37 ~ b6 -3,5; b7C - -3,5; b7E - -2; 
38 ~ b6é -3,5; b7C - -3,5; b7E - -2; 
39 ~ b6 : bIE - -2; 

40 ~ b3 -1; b6 - -3; b7C - -3; 

41 ~ b3 -1; b6 - -3; b7C - -3; 

42 ~ b6 SSRADTC 33.5 

43 ~ b6 73; b7C - -3; 

44 ~ b6 S137. DIC -ly3s 

45 ~ b6 -3; b7c - -3; 

47 ~ b6 -3; b7Cc - -3; 

48 ~ b3 -1; b6 - -3; b7C - -3; 

49 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
50 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
51 ~ b6 -3,5; b7C -— -3,5; b7E - —-2; 
52 ~ b6 -37 ‘bIC.— —3;. :b7E. = -23 

53: ib6. =. 437 (bIC = -<3;7 

54 ~ b6 - -3; b7C - -3; 

55.-b6)= $37 (b7C: = =33 

56 ~ b6 S37 Ub7C S-=39, 

58 ~ b6 337. BIC S=3 7 sbYE = =2% 

59 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
60 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
61 ~ b6 73,57 bIC — -3,5; b7IE - -2; 
62 ~ b6 “1,37 b7C = -1,37 

63 ~ b6 - -3; b7C - -3; 
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64 ~ b6 - -1,3; b7C - -1,3; 
65 b6 “1,37 (bIC. = -1,37 

66 b6 -1,3; b7c - -1,3; 

67 b6 =37 (b/G = =33 

68 b6 =37 DIC: =-=37 

69 ~ b6 - -1,3; b7C - -1,3; 

71 bé6 -3; b7c - bIE - -2; 

72 b6 -3,5; b7C - -3,5; b7E - -2; 
73 ~ b6 - -3,5; bIC - -3,5; b7E - -2; 
74 ~ b6 - -3,5; bIC - -3,5; b7E - -2; 
75 b6 -3,5; b7C - -3,5; b7E - -2; 
76 b6 -3,5; b7C - -3,5; b7E - -2; 
77 ~ b6 - -3,5; b7IC - -3,5; b7E - -2; 
78 ~ b6 - -3,5; bIC - -3,5; b7E - -2; 
79 ~ b6 - -3,5; bIC - -3,5; b7E - -2; 
80 b6 -3,5; b7C - -3,5; b7TE - -2; 
81 b6 -3,5; b7C - -3,5; b7E - -2; 
82 b6 -3,5; b7C - -3,5; b7E - -2; 
83 b6 -3; bIC - -3; DIE - -2; 

84 b6 -1,3; b7C - -1,3; 

85 b3 -2; b6 - -1,3; b7C - -1,3; DIE - -3; 
86 bé -3; bIC - -3; 

88 b6 -3,5; bIC - -3,5; b7E - -2; 
89 b6 -3,5; bIC - -3,5; bIE - -2; 
90 b6 -3,5; b7C - -3,5; b7E - -2; 
91 bé -3; b7C - -3; b7E - - 

92 b6 -3; b7C - -3; 

93 b6 -3; b7C - -3; 

94 b6é -3; b7C - -3; 

95 b6 -1,3; b7C - -1,3; 

96 b6 -3; b7C - -3; 

97 b3 -2; b6é - -1,3; b7C - -1,3; b7E - -3; 
98 b6 7-3; b7C - -3; 

100 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
101 b6 -3,5; b7C - -3,5; b7E - -2; 
102 b6 73,5; b7C - -3,5; b7E - -2; 
103 b6 73,5; b7C - -3,5; b7E - -2; 
104 b6 -3,5; b7C - -3,5; b7E - -2; 
105 b6 -3,5; b7C - -3,5; b7E - -2; 
106 b6 -3,5; b7C - -3,5; b7E - -2; 
107 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 
108 b6 -3,5; bI7C - -3,5; b7E - -2; 
109 b6 =3,57 b7C — -3,53 bIE = =23 
110 b6 —3,57 b7C — -3,5; bIE - —-2; 
111; b6 -3; bIC - -3; DIE - -2; 

112 b6 -3; bIC - -3; 

113 b6 -3; bIC - -3; 

115 Duplicate; 

117 b6*="=37. -bIC = —33 

118 b6 -3,5; b7C - -3,5; DIE - -2; 
119 b6 -3,5; b7C - -3,5; DIE - -2; 
120 b6 -3,5; b7C - -3,5; bIE - -2; 
121 b6 -3; b7C - -3; b7E - -2; 

122 b6 73,57 DIC = -3,.57 DIE — +27 
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-3,5; b7C 
-3,5; b7C 


-3; 
-3; 


b7C - 
b7Cc - 


-3,5; b7Cc 
-3,5; b7C 
-3,5; b7C 


-3; 
-3; 
-3; 
-3; 


b7C - 
b7c - 
b7c - 
b7C - 


-1,3; b7Cc 


737 


b7c - 


b6 - -1,3; b7c 
Duplicate; 
Duplicate; 
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b6 - 
bo: = 
b6 - 
b6 - 
b6 - 


-3; 


b7c - 
b7C - 
b7c - 
b7c - 
b7¢ - 


Duplicate; 
Duplicate; 
Duplicate; 


bo - 


-3; 


b7C - 
b7C - 
b7¢ - 
b7C - 
b7C - 
b7C - 
b7c - 
b7c — 


Duplicate; 
Duplicate; 
Duplicate; 
Duplicate; 
Duplicate; 


- -3 
- -3 
-3; 
-3; 
- -3 


FE 
13F 
bIE 
bIE 
pe 


b7E 
b7E 
b7E 


; DIE 
+ b7E 


b7E - -2; 
b7E - -2; 
- -2; 
- -2; 
b7E - -2; 
b7E - -2; 
bIE - -2; 
Ssey 
aes 
- -2; 
= -2; 
- -2; 
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Ss A2t 

b7E - -2; 
b7E - -2; 
b7E - -2; 
b7E - -2; 
bIE - -2; 
bIE - -2; 
b7E - -2; 
b7E - -2; 
b7E - -2; 
bIE - -2; 
bIE - -2; 
b7E - -2; 
b7E - -2; 
bIE - -2; 
= Ze 


Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

bo: = =37--b/G' = =37 

b6 =3\ BIC =: a3 

b6 -3; bIC - -3; 

b6 -3; bIC - -3; 

b6 -3; b7C - -3; 

b6 -3; b7C - -3; 

b6 -3; bIC - -3; 

b6 -3; b7IC - -3; 

b6 -3; bIC - -3; 

b6 -3; bIC - -3; 

b6 -3; b7C - -3; DIE 
b6 -3,5; b7C - -3,S; 
b6 -3,5; b7C - -3,S; 
b6 -3,5; b7C - -3,5; 
b6 73,5; bIC - -3,5; 
b6 -3,5; b7C - -3,5; 
b6 -3,5; b7C - -3,5; 
b6 -3,5; b7C - -3,5; 
b6 -3,5; b7C - -3,5; 
b6 -3; bIC - -3; 

b3 -2; b6 - -1,3; b7C - -1,3; 
b6 -3; b7C - -3; 

b6 -3; bIC - -3; 

b6 -3; bIC - -3; 

b6 -3; b7C - -3; b7E 
b6 -3,5; b7C - -3,5; 
b6 -3,5; b7C - -3,5; 
b6 - -3,5; bIC - -3,5; 
b6 - -3,5; bIC - -3,5; 
b6 =3,57 bI7C — -3,53 
b6 =3,57 b7C — -3,5;7 
b6 - -3,5; bIC - -3,5; 
b6 =3,57 BIC. =. -3,57 
b6 - -3,5; bIC - -3,5; 
b6 —-3,5; b7C — -3,537 
b6 3,57 bI7C — -3,5; 
b6 - -3,5; bIC - -3,5; 
b6 -3,5; b7C - -3,57 
b6 $3,537 :(bICo 4-37 55. 
b6 $37 BIC =-=37 b7E 
b6 -37 DIC = --33 


Page .233.~ b6 - -3; bIC = -3; 
Page 234 ~ b6 - -3; b7C - -3; 
Page 235 ~ b6é - -3; b7C - -3; 


Page 236 ~ b6 - -3; b7C - -3; 
Page 237 ~ b6 - -3; b7C - -3; 
Page 239 ~ b6 - -3,5; b7IC - -3,5; b7E - -2; 


Page 240 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 241 ~ b6 - -3,5; b7C - -3,5; bIE - -2; 

Page 242 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 243 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 244 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 245 ~ b6 - -3; b7C - -3; 

Page 246 ~ b6 - -3; bIC - -3; 

Page 247 ~ b6 - -3; b7C - -3; 

Page 248 ~ b6 - -3; bIC - -3; 

Page 250 ~ b6 - -1,3; b7C - -1,3; 

Page 251 ~ b3 - -1; b4 - -1; b6 - -3,5; b7C - -3,5; b7ID - -1; 
Page 252 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 253 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 254 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 255 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 256 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 257 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 258 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 259 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 260 ~ b6 - -3; b7C - -3; b7E - -2; 

Page 261 ~ b6 - -3; b7C - -3; 

Page 262 ~ b6 - -3; b7C - -3; 

Page 264 ~ Duplicate; 

Page 266 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 267 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 268 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 269 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 270 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 271 ~ b6 - -3,5; b7C - -3,5; b7E - -2; 

Page 272 ~ b6 - -3; b7C - -3; DIE - -2; 

Page 273 ~ b3 - -1; b6 - -3; b7C - -3; 

Page 274 ~ b3 - BP BIG: = =3; 

Page 275 ~ b6 - 
Page 276 ~ b6 - 
Page 277 ~ b6é - 
Page 278 ~ b6é - 
Page 280 ~ b6 - 
Page 281 ~ b6 - 


Page 282 ~ b6 - -3,5; b7E - -2; 
Page 283 ~ b6 - -3,5; b7E - -2; 
Page 284 ~ b6 - -3,5; b7E - -2; 


Page 285 ~ b6é - 
Page 286 ~ b6 - 
Page 287 ~ b6é - 
Page 288 ~ b6é - -3,57 

Page.289. ~ b3) - -27) b6.--1,3,;57 ‘b7C = -1,3,5;. ‘b7E - .-33 
Page 290 ~ b6 - -3; b7C - -3; 

Page 292. ="b3: 2-17 b4 = S17 b6 “Se =3 7 DIGS =3 7 b7Di-o “1s 
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S37) DIC S337 (DIE: = 25 
SSSR OIC, = °=3,:5 7 TE. =2 7 
-3,5; b7C - -3,5; bIE - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; bIE - -2; 
-3,5; b7C - -3,5; bIE - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; bIE - -2; 
-3; b7C - -3; 

-3; b7C - -3; 

S37 DIG. >" 235 

3s DIGS 333 

=3; bIC —.-33 

-3; bIC - -3; 

=32 “(bIC. = -=33 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

=37 DIC. .- -=37 

34 (DIC: =-S3¢ 

-3; bIC - -3; 

-3; bIC - -3; 

-3; bIC - -3; 

71,3; b7c - -1,3; 

-3; bIC - -3; 

-3; b7C - -3; 

-3; bIC - -3; 

-3; b7C - -3; DIE - -2; 
-3,5; bIC - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3,5; b7C - -3,5; b7E - -2; 
-3; b7C - -3; b7E - -2; 

S27: b6= =1,37) bIC = =1;33 
-3; bIC - -3; 

=37 bIC = =33 

o3¢ BIC = 437 DIE = =23 
—-3,5; b7C —--3,5; b7IE = -2; 
3,57 bIC — -3,5; b7E -— -2; 
-3,5; b7C - -3,5; DIE - -2; 
-3,5; b7C - -3,5; bIE - -2; 
$3,537 ‘bICs+--3,.57 DIE! = -23 
—3% bIC = =-37 .b7B — —27 

=37 DIC s-=33 DIE sy -25 


Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 
Page 


349 
350 
351 
353 
354 
355 
356 
357 
358 
359 
360 
361 
362 
363 
364 
365 
366 
367 
368 
369 
370 
371 
372 
373 
374 
375 
376 
377 
378 
379 
380 
381 
382 
383 
384 
385 
387 
389 
390 
391 
392 
393 
394 
395 
396 
397 
398 
399 
400 
404 
405 
406 
408 
409 


b6 - -3,5; bIC - -3,5; b7E - -2; 
be = 63, 5F bie > =<357. BIE: Sy H25: 
be = .-3,'5 >. bIC = --3, 57 DIE = =27 
be: = =35"b7C- = S39" b7E, S25 

be = -3) DIC = =33 DIE =. =2; 

b6 - -3,5; bIC - -3,5; b7E - -2; 
bG, =-—3,5 7 bIC8=--3; S37 DIE. 2% 
b6é - -3,5; b7IC - -3,5; bT7E - -2; 
b6 - -1,3; b7C - -1,3; 

b3 - -2; b6 - -1,3; b7C - -1,3; 
b6 - -3; bIC - -3; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

Duplicate; 

b6 - -3; b7IC - -3; 

b6 - -3; b7IC - -3; 

b6 - -3; bIC - -3; 

b6 - -3; bIC - -3; 

b6 - -3; bIC - -3; 

b6 - -3; b7IC - -3; 

b6 - -3; bIC - -3; 

Duplicate; 

b6 - -3; b7C - -3; b7E - -2; 

b6 - -3,5; b7C - -3,5; b7E - -2; 
b6é - -3,5; b7C -— -3,5; b7E - —2; 
b6 - -3,5; bIC - -3,5; b7E - -2; 
b6 - -3,5; bIC - -3,5; b7E - -2; 
b6 - —3,57 b7C — =3,53. BIE — =2? 
b6 - -3; b7C - -3; b7IE - -2; 

b6 - -3; b7C - -3; 

b6 - -3; b7C - -3; 

b6 - -3; DIC - =3; 
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Complaint Form 
Title: (U) Unauthorized Computer Intrusion Date: 07/31/2013 
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ETRADE FINANCIAL - VICTIM: 


ALPHARETTA, GA; 


INTRUSION 
Complaint Synopsis: (U) E-Trade reported an unauthorized computer 
intrusion in the account of Adrian Lamo. 
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Enclosure(s): Enclosed are the following items: 
1. (U) Notes of complaint from E-Trade 
2 (U) Notes of Interview | a 7 


Received On: 07/30/2013 


Receipt Method: Telephone 
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Incident Type: Criminal Activity 


Complaint Details: 


On July 30, 2013, representatives from E-Trade contacted SA [redacted] b6 -1,2
to report an unauthorized intrusion into the account of Adrian Lamo, Rien iie 
DOB 02/20/1981. re | (E-Trade, Corporate Security, 

Investigations Department), [redacted] (E-Trade, Corporate Security,
Forensics), [redacted] (E-Trade, Corporate Security, Fraud Operations),
and [redacted] (E-Trade, Corporate Security) contacted SA [redacted] to
report the unauthorized activity.
and[_] phone number is 


According to the above individuals, Adrian Lamo is an account holder at 
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Title: (U) Unauthorized Computer Intrusion 


E-Trade. During the week of July 22, an E-Trade account representative 
noticed suspicious activity on Lamo's account. The representative had 
accessed Lamo's account to determine if a $2,000 check made payable to 
Amazon and drawn off of Lamo's E-Trade account would clear. The 
account representative told the Amazon representative that the check 
would clear. At the same time, the representative noticed that Lamo's 
account balance had gone from several thousand dollars to over $11 
million in just several days. The account representative flagged Lamo's 
account and reported it to corporate security. 


E-Trade corporate security initiated an investigation and determined 
that someone had manipulated their computer system numerous times so 
that Lamo's E-Trade account had over $11 million in it. E-Trade 
immediately froze Lamo's account and prevented significant losses. 
E-Trade's loss is under $3,000. 


bIE -1 


After E-Trade froze the accounts someone, 
presumably Lamo, called E-Trade and asked why he could not access his 
account. E-Trade dtecnina See call E-Trade. 
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Title: U) Unauthorized Computer Intrusion 
Re: 7/31/2013 


The person left a telephone number[ sd which E-Trade Hed ee 
cH 


E-Trade told the subject that the investigator handling the case had 


b3 -2 
b7f -3 


left for the weekend and to call back on Monday, July 29. No one has 
called back about Lamo's account since July 26. 


The subject also set up over 30 external transfers from Lamo's E-Trade 
account. E-Trade account holders can set up external transfers from 
their accounts. To do so, an account holder enters information about 
an account he would like to transfer money to. For example, an E-Trade 
account holder could set up transfer to pay a credit card bill. The 
customer then conducts a micro-deposit (example .20 cents). Once the 
micro-deposit is completed and the customer verifies it, the account 
holder can then easily transfer money to those accounts/entities. It 
is faster to transfer money this way from an E-Trade account and you 
can transfer larger sums of money. E-Trade customers, if they use a 
direct debit from their account, can only withdraw around $2,000.


One check of note that was drawn off of Lamo's account was for $5,000
and made payable to [redacted]. The address the check was to be sent b6 -5
to was [redacted]. E-Trade believes [redacted] b7C -5
may be Lamo's associate because he appears to be a computer security
consultant, although they do not know for sure. E-Trade stopped
payment on this check and the money was never sent to [redacted].


On June 3, 2013, E-Trade froze Lamo's account because of suspicious 
activity on it. bT7E -1 


E-Trade required Lamo to go to one of its physical locations 


and present identification, which he did. Lamo was in Washington, D.C. 
at the time, so he went to an E-Trade branch in Washington, D.C. and 
presented his U.S. Passport as identification. E-Trade copied Lamo's 
passport. The picture on Lamo's passport matches pictures of Lamo on 
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Title: (U) Unauthorized Computer Intrusion 


the Internet. Lamo also went to E-Trade's Arlington, Virginia branch 
and withdrew $550 on June 5. 


The address listed on Lamo's accounts is 11197 Drake Street, NW, Coon 
Rapids, Minnesota 55433. The phone numbers listed on Lamo's accounts 
are 202-370-7750 and 202-760-2333. Many of the calls Lamo made to 
E-Trade came from the 202-370-7750 number. 


SA [redacted] requested that the E-Trade representatives save everything
related to its investigation and Lamo's accounts including documents, 
computer files, and log files. 


Pre-Assessment Findings: 
SUMMARY : 


ETrade is headquartered in New York, NY. All servers and databases 
are hosted in ETrade's datacenter in Alpharetta, GA. The office in 
Menlo Park, CA is an administrative and security office. 


ETrade account balances under the name_ADRIAN LAMO were 
artificiall to $12 million b 


Potential loss of $12 
million was averted by canceling payments and reclaiming monies from 
transactions made by subject. Real loss is only $3,000 plus man hours 
of several investigative and forensic ETrade employees over several 


days. 


A note of interest is that LAMO has been convicted of computer 


intrusions in the past andi 
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Re: 07/31/2013 


INTERVIEW ON 08/06/2013 


(NOTE: This section can be submitted as an FD-302) 


Do Icorporate security 


Investigations, ETrade Financial, 4500 Bohannon Drive, Menlo Park 
California, 94025, e-mail 
was interviewed at her place of employment. 


ie 
Also present was [redacted] b6 -2


Corporate Security Investigations, ETrade Financial, phone number b7c -2 


participants in the interview via conference call were; 


ETrade Financial, Alpharetta, Georgia; 


Alpharetta, Georgia; and[ | 
Corporate Investigations, Alpharetta, Georgia. After 


all introductions were made,[_] provided the following information: 


[redacted] provided some background information about ETrade. ETrade is
headquartered in New York, New York. All servers and databases are
hosted at their datacenter in Alpharetta, Georgia. The office in Menlo
Park, California houses several administration and security
offices. There are three ways to open an ETrade account: online, call 
center, or submit paper via mail. 


On 07/26/2013, suspicious activity was found on an account after 
Amazon Corporation contacted ETrade customer service representative 
(CSR) to verify a check drawn on an ETrade account for $2,000 was 
sufficiently funded for payment to Amazon. The CSR verified with Amazon 
it was sufficiently funded but on closer inspection, the CSR noticed 
that in a span of a few days, the account’s balance increased from 
approximately $10,000 to approximately $12 Million dollars. As a 
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Title: U) Unauthorized Computer Intrusion 
Re: 07/31/2013 


result, the CSR flagged the account and forwarded the information to 


ETrade’s fraud department. 


The account holder of the flagged account was ADRIAN LAMO. LAMO had 
seven total ETrade accounts under his name: five were active banking 
accounts where two of these were used for checking; two were brokerage 
accounts that were in an inactive status. LAMO’s two checking accounts 
were the ones that recorded suspicious behavior. 
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Title: (U) Unauthorized Computer Intrusion 


bB7E -1 
to 

b6 -2 

b7c -2 

BIE -1 


[redacted] stated that on 7/24/2013, someone claiming to be LAMO responded
to a request by ETrade to verify scheduled transactions to Western 
Union from his account. When the suspicious activity was detected on 
7/26/2013, LAMO’s accounts were frozen. ETrade found that transactions 
to 30 different accounts were scheduled to transfer funds from LAMO’s 
accounts. Some of the recipients were to be Bancorp, USAA, Western 
Union, and BitCoin. ETrade was able to stop and/or reverse most of the 
transactions with the exception of approximately $3000 which ETrade was 


not able to recover. 
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According to bE. -2 
b7c -2 
bIE -1 


b6 -2,5 
LAMO currently listed a Minnesota address for the accounts but BIC aae 


bIE -1 
the phone numbers were Washington, DC based. An additional event that 
occurred was a check made out to [redacted] for $5,000 drawn on
LAMO’s account. ETrade canceled the payment on the check 


While looking back at other historical events in LAMO’s accounts, a 
temporary freeze was put on LAMO’s account on 06/03/2013 for an 


unrelated event 
b7E -1 


In order to unfreeze it, LAMO came in person to ETrade’s 
Washington, DC office and showed his passport photo to prove he made 
the transaction. This in-person record confirmed LAMO was the account 
holder. 


ETrade has all records of account transactions and log information 
and was compiling the information into a report to be provided to 
federal investigators. 
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Title: (U) Unauthorized Computer Intrusion 


Recommended Action: Open New Case 


Entities: 
Adrian Lamo (Main, Person, U.S. Person? Yes) 
Name/Biographical Information 
Name: Adrian Lamo 
Born: 02/20/1981 
Minor? No 
Has Diplomatic Status? No 
Location 


Address: 11197 Drake Street 
NW 


City: Coon Rapids 

State: MN 

Zip Code: 55433 

Country: United States 

Relationship: Unknown 

Comment: Address listed on Lamo's E-Trade account. 
Communication Account 1 

Type: Telephone 

Account: 202-370-7750 

Relationship: Utilizes 


Comment: Listed on Lamo's E-Trade account. Used by Lamo to call 
E-Trade. 


Communication Account 2 
Type: Telephone 
Account: 202-760-2333 


Relationship: Utilizes 


[redacted] (Reference, Person, U.S. Person? Yes) b6 -5


Location BIC 9 
Address: 
City: 
State: 
Country: United States 
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re: [7 Jo7/31/2013 


Relationship: Unknown 
Comment: Possible Lamo associate. 
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Details: 


As set forth re serial, a buccal swab (DNA) of Adrian Lamo was 
collected for Federal Convicted Offender (FCO) program per court order. 
Since 2010, writer has communicated with numerous FBI Laboratory 
personnel concerning the acceptability of this collection technique. 
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accepted and entered into the database. Enclosed 1A includes writer's bycuet 
notes, e-mail communications, and a copy of the court order regarding 


this issue. 
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MCGREGOR W. SCOTT 

United States Attorney 
HEIKO P. COPPOLA 

Assistant U.S. Attorney 

501 I Street, Suite 10-100 
Sacramento, California 95814 
Telephone: (916) 554-2770 


IN THE UNITED STATES DISTRICT COURT 


FOR THE EASTERN DISTRICT OF CALIFORNIA


UNITED STATES OF AMERICA, CASE NO. 2:05-CR-022 FCD 


) 
) 
Plaintiff, ) STIPULATION AND ORDER REGARDING
) THE DEFENDANT'S SUBMISSION OF
v. ) DNA SAMPLES
) 
ADRIAN LAMO, ) 
) 
Defendant . ) 
) 


The United States, by and through Assistant United States 
Attorney Heiko P. Coppola, and the defendant, by and through his
counsel, Assistant Federal Defender Mary French, enter into the 
following stipulation regarding the defendant's submission of 
DNA samples: 

1. A convicted felon such as the defendant, Adrian Lamo, is
required to submit to DNA testing. The collection method
currently used by the Federal Bureau of Investigation (FBI) 
involves taking a blood sample. 

2. Mr. Lamo asserts that pursuant to his sincerely held 
religious beliefs, he is not able to provide a blood sample. 


/// 


FBI(19-cv-1495)-6177 


s 


is 


SO wm ND HW BR WN 


Case 2:05-cr-00022-FCD Document 19 Filed 06/22/07 Page 2 of 4 


3. In a recent case before Chief Judge David F. Levi, 


namely United States v. Elden Leroy Holmes, Case No. 2:02-CR-0349 


DFL, the Court addressed the issue of taking a DNA sample from an 
individual with a sincerely held religious belief against the 
drawing of blood. In that case, Judge Levi found that the 
government's requirement that the defendant submit his DNA sample 
through a blood sample imposed a substantial burden on his free 
exercise of religion in violation of the Religious Freedom 
Restoration Act ("RFRA"), 42 U.S.C. §§ 14132bb, et seq. 

4. In light of Judge Levi's finding in United States v. 
Elden Leroy Holmes, the undersigned prosecutor is not convinced 
that the government can demonstrate a compelling interest in 
collecting DNA through a blood sample rather than by a buccal 
sample, in the face of defendant Lamo’s assertion of a sincerely 
held religious belief against taking a blood sample. The 
government and the defendant agree that for the purpose of 
resolving this case, buccal samples will be collected from Mr. 
Lamo in lieu of providing a blood sample. 

5. Accordingly, the parties seek an order requiring Mr. Lamo 
to submit to buccal sample collection within 30 days - on a date 
to be arranged through his counsel, the prosecutor and the 
probation officer - by reporting to the United States Probation 
office in Sacramento, where eight (8) buccal swabs will be 
collected from Mr. Lamo by an authorized representative of the 
FBI, who will take custody of the swabs and make arrangements to 
have them transported to the FBI laboratory or its authorized 
representative. The eight samples will be taken to ensure that 


enough DNA material is collected to effectuate analysis and 
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storage of the DNA sample and to obviate the need to keep the 
violation petition open while the analysis and uploading to CoDIS 
takes place - a process that will not happen immediately. 

6. Additionally, the prosecutor will report to the Court, 
within five court days of Mr. Lamo’s submission of the samples, 
that he has done so. The prosecutor shall simultaneously submit 
a proposed order for dismissal of the violation petition. 

So stipulated. 


DATED: June 19, 2007 MCGREGOR W. SCOTT 
United States Attorney 


By s/ Heiko P. Coppola 
Heiko P. Coppola 
Assistant U.S. Attorney 


DATED: June 19, 2007 DANIEL A. BRODERICK 
Federal Defender 


By s/ Mary French 
Mary French 
Assistant Federal Defender 
Counsel for Defendant 
Signed per email authority by 
Heiko P. Coppola 


ORDER 

Mr. Lamo is ordered to submit to buccal sample collection by 
reporting, within 30 days of the issuance of this order - on a
date to be arranged through his counsel, the prosecutor, and the 
probation officer - to the United States Probation Office in 
Sacramento, where eight (8) buccal samples will be collected from 
Mr. Lamo by an authorized representative of the FBI, who will 
take custody of the samples and make arrangements to have them 


M1 
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transported to the FBI laboratory or its authorized 


representative. 


The prosecutor is directed to report to the Court, within 


five court days of Mr. Lamo’s submission of the samples, that he 


has done so. The prosecutor shall simultaneously submit a 


proposed order for dismissal of the violation petition. 


The status conference set for June 25, 2007 is VACATED and 


RESET for Monday, July 30, 2007 at 10:00 a.m. If the dismissal 


of the petition is received prior to the status it will be
vacated. 
IT IS SO ORDERED. 


DATED: June 21, 2007 
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U.S. Department of Justice
Federal Bureau of Investigation 


Washington D.C. 20535-0001 


Fax Cover Sheet 


Date: 02/03/2014 Number of pages: 2 
(including cover sheet) 


| Phone: [| 
acramento m Fax: 
< 
4500 Orange Grove Ave Os ne 
Sacramento CA 85841 / fit Pe ty 


Subject: Sample Rejection Notification 


Messages / Comments: 


b6 -1 
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FBI Federal Convicted Offender (FCO) Sample Rejection Notification 


Date: 02/03/2014 
Attention: 
Facility/Office: FBI Sacramento
Address: 4500 Orange Grove Ave 
Sacramento, CA 95844 b6 “1 


b7¢ -1 
Phone Number: bIE -9 
Fax Number 


Offender Information 


Name: LAMO, ADRIAN 

Kit Bar Code: 000155640 FINS#: 

Date of Collection: 6/28/2007 DOB: 2/20/1981 
FBI#: REF: 

SSN: 042746804 PACTS#: 

BOP#: POID#: 

ALIEN#: JABS#: 


This notice is to inform you that the DNA sample collected from this individual is being terminated due 
to the following reason: 


Blood tube or bloodstain cards missing from collection kit < 


Please submit a new DNA collection kit for this individual to the Federal DNA Database Unit (FDDU)
within thirty (30) days. The DNA sample was collected in accordance with federal legislation because
of the serious nature of the crime with which this individual was associated. If a new sample is not
collected, this individual will not have his/her DNA profile uploaded into the National DNA Index System
(NDIS) and the profile will not be searched against the database of unknown DNA samples collected
from unsolved crimes across the country. If the subject's federal supervision has been transferred to
another facility, please provide the FDDU with the appropriate contact information. It is vital that this
request for recollection be fulfilled. If you have questions regarding this notification, please contact the
Federal DNA Database Unit at 703-632-7529 or via fax at 703-632-7620.


sc) (FBI) 


From CO ise) ean 


Sent: Wedne: 01, 2010 11 57 AM 

To: FBI) 7 

Ce: SC) (FBI) cen Bg 
Subject: T Laboratory - Rejection Notification i 


| spoke wt{ Cite AUSA who was involved in this Here 1s what he told me 


In 2007, Lamo was under supervised release here in Sacramento. The original offense was an FBI case in NY 
(Computer Crime). While on supervised release, Lamo was requested to provide blood for DNA submission to the FBI lab. 
Lamo refused; it went to court. The court ordered a buccal swab. FBI Laboratory officials had repeated calls to the US 
Attorney office in Sacramento about this.


tspoke with who was present for the buccal swab Here is what he told me 


Sacramento got an email from FBI lab telling us to get the DNA by buccal swab. We currently don’t have the 
original email from the lab and can’t recall the name of the person we dealt with. All of our instructions came from the 
lab. If we find any correspondence from the lab, we'll provide it to you. b6 -1,4 
b7¢ -1,4 
There is a court order on file relating to this. It can be downloaded from PACER. I asked the US Attorney office to 
provide me with a copy. I am going to fax a copy to you once I receive it. It’s not sealed or anything, so you can look it 
up on your end if you are in a hurry. Also, you might want to check the records on your end. According to [redacted], the 
conversations with the FBI lab were frequent and the lab was very involved in all this. Also, I believe the directions to 
collect the sample came directly from the lab.


I am afraid we don’t have anything more than what we put on the ec. Based on the above, it seems that the 
information I had that the case was originally a DHS case was incorrect. It might have been an FBI case in New York. But 
I doubt they have any information relating to the DNA issue. The matter at the US Attorney office considered this a 
probation violation.


Also, sust so you are aware, It 1s In the news that Lamo wa: 


amo was on 
ased on the news reports, it was Lama 


Regarding the DNA kit, while I don’t have any recollection about why we used it, I believe that everything we got 
came in the mail from the FBI lab.


b6 -5 
b7c -5 


Sent: Wednesday, December 01, 2010 6:05 AM bi7¢ -1 
T FBI) 

c LD) (FB) 

Subject: aboratory - Rejection Notification 
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| downloaded your transcript of the taking of the buccaf sample from the individual we discussed Is it possible to get a 


copy of the court order that directed this collection? We are going to need to seek some guidance from our OGC and 
nn i be very helpful You can erther emait it to me on the low seq don fax it to 


b6 -1 
b7c -1 
Just to be sure I have the facts straight, can you tell me if the following is accurate: b7E -9 


The individual was investigated by DHS/Border Patrol. It was determined that for some reason, the individual needed to 
submit a DNA sample. Numerous court hearings were held where the blood sample was denied; however, a buccal 
sample was approved for submission. DHS was the lead in this; however, the court did not want DHS involved, so the 
FBI was ordered to collect the sample. You guys collected the sample using a buccal collection kit supplied by DHS from 
the Missouri State Highway Patrol. You utilized their buccal device and our FD-936 form and returned the kit to Missouri; 
however, the kit made its way to the FBI Laboratory.


Let me know if this is close. Just want to be sure I have all the facts before I meet with our OGC.


| 


UNCLASSIFIED 
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TheNew York Gimes 


229 WEST 43 STREET 
NEW YORK, N.Y. 10036 


June 17, 2002 


Dear Special AgentL sd 


Enclosed is the CD with the databases that were affected by the Lamo hack incident. 


On it you will find a read-me file (also attached to this letter) pointing you to the following: 


if you have any further questions, please call me | . 
y ¥ q P bIE -1,2 
Regards, b7c -2 
Publishing Systems - 
ee b6é -2 
b7C -2 
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REIN IS UE “AS 


_ FEDERAL BUREAU OF INVESTIGATION BIC -1 


Precedence: ROUTINE . Date: 03/06/2002 
To: New York 


From: New York 
Squad C-37 


Drafted By: 


Case ID #: b7c -1 
b3 -2 
b7E -3 


Title: LAMO, ADRIAN 
Synopsis: Request to open sub-files and change of title. 


Details: Writer requests the following sub-files to be opened in 
above referenced case: 


Also, please open the following Sub files: 


b3 -2 
bTE -3 


Writer requests Title of Case be changed to : 


ADRIAN LAMO 

New York Times-Victim; 

Computer Intrusion-Information Systems 
CO:NY 


MAR 7 2002 


Fo} — KEW YORK 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 04/02/2002 


AOL, was telephonically contacted b6 -6 

by the interviewing agent. After being advised as to the identity p7c -6 

of the interviewing agent and the purpose of the interview, 
providea the following information: 


stated that ADRIAN LAMO was a former user of 

AOL. LAMO was a member of the forum regarding viruses and trojan 
horses monitored by AOL. To become a member of the forum, LAMO was 
required to sign a non-disclosure agreement with AOL. LAMO was 
dismissed from the forum for violating the non-disclosure 

agreement. Since his dismissal, LAMO consistently attempts to bo -6 
exploit vulnerabilities in AOL's network. LAMO_has ties to 
(Protect Identity) 
when LAMO is 


resides in the 
area. LAMO has not attempted to contact AOL directl 
believes that 


testified in a trial in California. LAMO was 
present to be called as an expert witness for the defense. When 
the judge, NAME UNKNOWN (UNM), was notified that LAMO was the 
subject of several investigations he did not allow him to testify. 
The Assistant District Attorney who had the case was b6 -5 


stated that the information regarding the bIC -5,6 
vulnerability in AOL's instant messenger and customer database was 
discovered when an individual notified them that LAMO told them 
about the vulnerability. 


b3 -2 
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Date of transcription 04/03/2002 


YAHOO, Legal Department, telephone [___] 
| was telephonically contacted by the interviewing agent. b6 -6 
After being advised as to the identities of the interviewing agents b7C -6 
and the purpose of the interview, CL **) previded the following 
information: 


is familiar with ADRIAN LAMO. In 2001, LAMO 
intruded into the YAHOO web-site and chan: tories 


LAMO entered the site 
YAHOO was contacted by 
informed them that LAMO had committed the intrusion. 


believes that YAHOO was provided with screen captures by LAMO 
proving that he intruded into their system. 


[___|statea that he is currently not aware of the 
names of the individuals who had contact wice[ “Tan sas buys 5.6 


would provide this information at a future date furthe 3. £ 6 
stated that YAHOO conducted an investigation into the LAMO “4 
intrusion and YAHOO sustained damages because of the intrusion.” 
REIN IS UNCLAS! 
Qg-27-s010 b3 -2 
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Investigation on 04/02/2002 at New York, NY (telephonicaily) p7c -1 
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CAH:cah b7C -1 
bB°S2 
On April 2, 2002, sal —Ctccated a video clip of an interview conducted ,7p ~3 
by Tech Live with ADRIAN LAMO. The interview was conducted on Friday, March 8, 2002 at 
9:00 PM EST. 


A copy of the video clip will be maintained in the file. 
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Hacker? Or Security Crusader? 


See why Adrian Lamo wants to camp out on your corporate intranet, 
Friday 3/8 at 9 p.m. Eastern on ‘Tech Live.’ 


By David Stevenson, Tech Live 




You can spot Adrian Lamo in your 
neighborhood Kinko's copy shop. 
He's the young man with the 
battered Toshiba laptop, intently 
searching for holes in the Web. 


Video Highlight: Hacker warns companies about security holes 


Lamo says he's homeless, “couch surfing" with 

friends while he works as a freelance security consultant. The 21-year-old 
says he's helping corporations and consumers understand the limits of 
internet security. But his methods are alarming media giants. 


In the last two years, Lamo has allegedly penetrated the intranets and 
archives of America Online, Yahoo!, Excite@Home, WorldCom, and, most 
recently, The New York Times -- where he accessed and added his name to 
an internal list of op-ed contributors. 


Lamo says he's not worried about the legality of what he's doing. 


“I know that prosecution can happen but I try not to let my actions be guided 
by fear," he said. 


Instead, Lamo claims to be guided by a sense of curiosity that prods him to 
explore the limits of online security. He doesn't try to charge companies to 
help them fix the holes he finds, a fact that may have discouraged 
prosecution by Yahoo!, Excite@Home, and WorldCom. 


Bill orn socurit ADVERTISEMENT, 
network Security = 
experts say he's @ BUSINESS INFRASTRUCTURE 


little more than a 
publicity-seeking 
criminal. 
Frederick Felman, 
vice president of 
marketing at Zone 
Labs, a security~ 
software maker, 
shares that 
opinion. 


“If he... goes 
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through the data; 
if he finds some 
piece of paper or 
some electronic 
document and 
looks at it, I think 
it is, in fact, a 
crime,” Felman 
said. 


The New York Times may be inclined to agree. A representative told TechTV 
the company is “exploring all options” in determining how it will handle what it 
considers a security breach. 


Even Lamo admits he's breaking federal computer crime laws. 


“I'm accessing their network without authorization. So | am an intruder. From 
there on, it's pretty subjective," Lamo said. 


But his ultimate aim is to help, Lamo said. He said he plans to keep using the 
tools available to him to test the limits of technology. 


"Tech Live” airs weekdays at S$ a.m., 4p.m., 9 p.m., and 12 a.m. Eastern. 


Related Articles 


- Exploring the Ethics of Hacking 
+ Should You Fear Hackers? 
- So You Wanna Be a Hacker 




Copyright © 2002 TechTV Inc. All rights reserved. 
Use of Techtv.com is subject to certain terms ang conditions. We respect your privacy. 
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The attached email was received fom[_——————S—S—S—SCSCSCSCSUTHEE NEW YORK 


TIMES, email address|_SSSCSCSCS~C*id garding, the unauthorized intrusion of their 
intranet by ADRIAN LAMO. 
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aSith ; with a Free Job Agent 




From! 

To: 

CC: 

Subject : Screenshot articles, video clip of Lamo 
Date : Tue, 26 Mar 2002 17:50:16 -0500 




LC] 


Nice to meet you today, Here are the two articles/outlets that mentioned 
they had received screenshots from Lamo: 


1. MSNBC.com article by Bob Sullivan on 2/27/02: "N.Y. Times source 
database hacked" 
http://www.msnbc.com/news/716753.asp?cpi=1 


Lamo supported his claims with a variety of screen shots sent to MSNBC.com. 
The images show lists names from what appear to be internal New York Times 
databases. Lamo was even able to add his name and phone number to a 
database of experts used by Times’ reporters. 


2. Newsbytes article by Brian Krebs on 2/26/02: "New York Times Intranet, 
Source Database Hacked" 

http://www.newsbytes.com/news/02/174792.html (Newsbytes is a Washington 
Post Web site) 


According to screenshots obtained by Newsbytes, the Times' own “Everyone, 
Everywhere" newsroom contact database was also available via the corporate 
Intranet. 


And fyi: I've i i i evin 
Poulsen; 


Also, TechTV has posted a video clip of their interview with Lamo. It 
includes some interesting footage including screenshots of the NYTimes.com 
Op-Ed section. 


Hacker? Or Security Crusader? 


See why Adrian Lamo wants to camp out on your corporate intranet 
http://www.techtv.com/news/security/story/0,24195,3375387,00.html 
click on "video highlight:" Hacker warns companies about security holes 
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Hotmail Message e@ e@ 


Panel Debates Hacker Amnesty 
Should hack-and-tell intruders who warn companies about security holes do 
time with hardened criminals? Security experts probe the ethics of hacking. 


By Kevin Poulsen 
Mar 25 2002 6:30PM PT 
http://online.securityfocus.com/news/358 


But one month after Lamo notified the New York Times of its 
vulnerabilities through a SecurityFocus Online reporter, the Times 
intrusion remains a sword of Damocles suspended over the hacker's head. 
The paper hasn't sought Lamo's assistance, and isn't thanking him for the 
attention. "We're still investigating and exploring all of the options,” 
said spokesperson Christine Mohan on Monday. Asked if the Times is 
contemplating filing a criminal complaint with the FBI, Mohan added, “That 
is one of the options.” 
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New York Times Intranet, Source Database Hacked My 
By Brian Krebs, Newsbytes please ches Fre 
WASHINGTON, D.C., U.S.A., “a ‘E-Mall This Article ; sion 
26 Feb 2002, 7:52 PM CST iE Printer-Friendly Version 

The New York Times' corporate Intranet and Web-based applications that 
handle everything from payroll accounts to the newsroom's source 
database were penetrated by a freelance security researcher this week 
using nothing more than a Web browser, Newsbytes has learned. 


The discovery was made by 21-year-old Adrian Lamo, a white-hat hacker known for 
tracking down and alerting Fortune 500 companies that employ lackluster or non- 
existent security measures on their Web sites. 


The internal Web site included pages with detailed instructions for stringers and 
correspondents on how to file from the field, complete with dial-in modem 
numbers and accounts. The intranet also lists each Times employee's contact 
information, as well as their Social Security numbers. 


According to screenshots obtained by Newsbytes, the Times' own “Everyone, 
Everywhere" newsroom contact database was also available via the corporate 
Intranet. The database contains phone numbers and contact information for such 
household names such as Yogi Berra, Warren Beatty, and Robert Redford, as 
well as high-profile political figures 
including Palestinian leader Yassir Arafat and Secretary of State Colin Powell. 


The source database also contains Social Security numbers for all of the Times’ guest op- 
ed writers, including Democratic operative James Carville and Internet policy guru 
Lawrence Lessig. Also spotted in the file were entries for William F. Buckley Jr., Rush 
Limbaugh, Microsoft founder Bill Gates, and New York Mayor Michael Bloomberg. 


In September 1998, a hacker group known as "Hacking for Girlies" broke into the New 
York Times Web site, replacing the main page with its insignia and a lengthy diatribe 
against New York Times technology columnist John Markoff for his book *Takedown," 
which the group said painted an inaccurate picture of hacker icon Kevin Mitnick. 


The New York Times subsequently moved the servers for its public Web sites to a more 


hitp://www.newsbytes.com/news/02/ 174792.html FRI6{98421495)-6427 
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secure Internet address block. 


But the company left many Web pages created for use by employees and field reporters 
open to just about anyone curious enough to look for them, Lamo said. 


Times spokeswoman Christine Mohan confirmed that the company is "actively 
investigating a potential security breach." 


“The New York Times Company takes the security of its network very seriously," Mohan 
said. "Based on the results of this investigation, we will take appropriate steps if 
necessary to ensure the security of our network.” 


Lamo located the internal network after querying publicly accessible Internet address 
records for mail servers on the New York Times' address space, armed with the 
knowledge that e-mail is often processed by the same systems and networks that 
manage a corporation's firewall. 


Lamo gained access to the network using Web proxies located on the network. Proxies 
are machines that allows users to route through - or into - networks, often skirting past 
firewalls. The whole process from search to discovery took less than two minutes. 


“It struck me as being a part of their network more likely to be placed in a trusted 
location," he said. "Ironically, it wasn't until I mistyped a URL that I found what I was 
looking for - the error message invited me to ‘try the main New York Times intranet site’ 
instead." 


The Times' corporate intranet also allows users to access other sensitive areas, including 
the company's human resources department, as well as tools used to submit 
advertisements that accompany stories in the daily paper and the New York Times Web 


site, http://www.nytimes.com . 


The discovery highlights just how susceptible the Internet can be as a tool for spreading 
misinformation. Lamo said had he been so inclined, he probably would have been able to 
figure out how to successfully submit a small news item or advertisement for publication. 


Days after the Sept. 11 attacks, Lamo used a proxy on the Yahoo network to add 
satirical comment to a story on the company's Web site about Russian programmer 
Dmitry Sklyarov, a stunt that raised public concern about the integrity of online media. 


Last week, Lamo alerted SBC Communications that several of its Web pages containing 
tens of thousands of subscriber user names and passwords were exposed to the Web and 
completely unprotected. . 


In December, Lamo discovered an Internet-accessible Web tool that provided easy 
access to the keys to private network routers for dozens of companies, including AOL 
Time Warner, Bank of America, Citicorp, Fox News Corp., JP Morgan, McDonalds, and 
Sun Microsystems - to name just a few. 


When asked why he does what he does, Lamo is noncommittal and somewhat cagey, 
downplaying his penchant for seeing things in ways that often go unnoticed by most. 


That didn't stop him, however, from quietly adding his name to the newsroom's source 
list as an expert on computer hacking. 
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“I'm not trying to bring about any sort of specific change anywhere by what I do ~ but in 
doing what I do, acting in good faith doesn't seem like a bad thing, and hoping that 
someone in a similar situation in some undefined future might have options that aren’t 
all a downwards spiral doesn't seem unreasonable either," Lamo said. “It would be nice.” 
Reported by Newsbytes.com, http://www.newsbytes.com 
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The attached email was received fronf___—=——«(T HE. NEW YORK TIMES, 
regarding the unauthorized intrusion of ADRIAN LAMO into THE NEW 
YORK TIMES' intranet. While gaining unauthorized access of the intranet, LAMO was able to 
set up several userids and passwords for Lexis-Nexus service. THE NEW YORK TIMES pays 
one flat fee for Lexis-Nexus service but noticed that 18% of their searches were performed by 
these user accounts and the accounts were accessed from KINKO's stores in California. 
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Upgrade 

Email O1 

Thanks, Shop AT 
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X-Sendery 


X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 
: Tue, 12 Mar 2002 17:15:20 -0500 


v{____] 
X-Mailer: indows Cudora Version 4.3.2 


Date: Tue, 12 Mar 2002 15:48:21 -0500 


el bre -2, 
From; bIC -2,2 
Subject: Nexis - compromised passwords - Adrian Tamo? ’ 3 
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It appears that we have at least two compromised Nexis passwords that I 
have asked Nexis to delete. 


L 
Account) 
User: 


DC] 
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7 Lexis-Nous =» (937) 2us-~ 800 
secre 


Account: BIG? =253 
User} 


Together these two passwords had roughly 18% of the total Times company 
use in February. I uncovered them in a basic scan of usage totals in Nexis to see 
who was using the service. 


Today I spoke td ——S—id and about the situation. 

says that Nexis was able to identify a couple of the IP addresses from which 

these passwords were used. One was a Kinko's in Oxnard, Ca, another was in the 
Sacramento ValleyL___|didn’t go into the details but he said that his security folks 

Ye suggested that it might be the hacker, Adrian Lamo, who broke into the Times a 


couple of weeks ago. 


Since The Times pays a fixed monthly fee to Nexis, this incident did not cost 
the company anything. 

We don’t know how many passwords have been compromised. It appears 
possible that he created his own logins via our registration page but that he had no 
access to our list of Nexis users and their passwords, which is not kept anywhere 
internally. We'll be doing more checks with Nexis to see if any other passwords: 1. 
have excessive use; 2. were created at the same time; or 3. originated from the 
same IP address. And we'll delete them. 


I'd like to talk about what other steps we should be taking. Ober ~ LS 
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Date of transcription 03/26/2002 


Legal Counsel, EXITE@HOME, telephone number 
was telephonically contacted by the interviewing 
agent. After being advised as to the identity of the interviewing 
agent and the purpose of the interview, [| provided the 
following information: b6 -5,6 


t 
is familiar with the computer intrusion of b7C -5,6 
EXCITE@HOME committed by ADRIAN LAMO. Unfortunately, EXCITE@HOME 


filed for bankruptcy and stopped operating in_February 2002. 
(stated that there are two individuals 
Flat com. 0 ca 

(and com) would have the 


information regarding the investigation of the computer intrusion 
by LAMO. 


| stated that the computer intrusion of LAMO is not 
the reason that EXCITE@HOME has collapsed. 


Investigation on 03/25/2002 at New York, NY {telephonically} b3 -2 
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Date of transcription 06/02/2002 


Lexis-Nexus, telephone number 
was telephonically contacted by the interviewing agent. After 
being advised as to the identity of the interviewing agent and the . - 
purpose of the tabenriew [= [proviaee the following bo -6 
information: b7C -6 


is aware of the unauthorized computer intrusion by 
ADRIAN LAMO into the NEW YORK TIMES' (TIMES) network. stated 
that during the time LAMO had access to the TIMES’ network several 
userids/passwords were created under the TIMES account. 
stated that the userids/password were accessed from two (2) KINKO's 
stores in California. 
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regarding whether or not she received screen captures from ADRIAN LAMO or any other DIE -3 


individuals or entities from LAMO's unauthorized access into their network. 
commented that they did not received screen captures from LAMO but LAMO did provide 
screen captures to MSNBC.com and THE WASHINGTON POST. 
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The attached document and CD-Rom were received ftom[________—_—| The New York b7c - 1 2 


T imsl sd Publishing Sytems regarding the computer intrusion of the intranet by },3 _9 ‘ 
ADRIAN LAMO. The CD-Rom contains the original database, altered database and log files DIE -3 
pertaining to the computer intrusion. " 
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Writer discovered the attached articles pertaining to ADRIAN LAMO while searching on 

securityfocus.com. The articles stated that LAMO utilizing a Kinko's store hacked into NBC's 
internal network while being videotaped by a NBC news crew. The story was to air on NBC's 
Nightly News with Tom Brokaw but was pulled due to the legality of it. 
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BEREIN I Bug Triad 
Lamo Bumped from NBC After Hacking Them =S7E ‘2-2 Whacks be -1 
Microsoft bic -1 
The helpful hacker demonstrates his techniques on camera for the NBC Nightly News, but 
lawyers kill the story when he cracks the broadcast network's own systems. 
By Kevin Poulsen, Aug 27 2002 2:24PM 

How did a mediagenic hacker like Adrian Lamo get himself bumped last week from a 
scheduled appearance on the NBC Nightly News with Tom Brokaw? 

Perhaps with his impromptu on-camera intrusion into the peacock network's own computers. 

The vagabond hacker known for his drifter lifestyle and his public forays into large and 
poorly-secured corporate intranets sat down at a Washington D.C. Kinko's laptop station 
earlier this month with a freelance NBC news producer to show-off his particular style of 
hacking -- the 21-year-old typically uses little more than an ordinary browser, possessing an 
eerie knack for finding undocumented Web servers and open proxies at large organizations. 

That method has gotten Lamo deep into the electronic infrastructures of such companies as 
troubled telecom giant Worldcom, Internet portal Yahoo, and most recently the New York 
Times, where last February he exploited lax security to tap a database of 3,000 Times op-ed 
contributors, culling such tidbits of information as Robert Redford's social-security number, 
and former president Jimmy Carter's home phone number. But unlike most intruders, Lamo 
eventually goes public with his discoveries, and offers to help those he's hacked tighten their 
security pro bono -- an offer that's been accepted by several of his corporate targets. So far 
Lamo's managed to avoid prosecution, though federal officials in New York are believed to be 
investigating him for the Times hack. 
archive} 
r 
"Maybe they-should Have: Lamo says NBC was taping him at Kinko's while he demonstrated 
Just talked to the security holes in a telecommunications company's systems, when 
lawyers first... Alittle the interviewer asked him if he'd be successful hacking NBC. FROM 
front end work to s THE 
5 . . + A WIRES 
identify the pitfalls Five minutes and one guessed 
would have made ita password later and Lamo was Computer 
good story." surfing the Elon network's Security 
‘ - private messaging system and an Standards 
~~ Joumalism ethicist affiliate scheduling application that Ready 
Kelly McBride included internal memes and Sep 05, 
information on advertising rates. fiadan pee mia hacking 2002 
Screen shots of the hack provided by Lamo and reviewed by with att ordinary Wab bravtser. MS patches 
SecurityFocus Online include a page from an NBC vendor database with the Network's : bagus _ : 
trademark “living color” peacock and the warning, “All information contained on this Web site “certificate 
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is to be held in the strictest confidence," in all capital letters. "It was a very full service hote on NT. 


v 

system," recalls Lamo. gigolo xP 
a Sep 05, 

The videotaped intrusion was rushed onto the NBC Nightly News schedule, where it was slated 
to run last Thursday. But it was abruptly yanked off the schedule at the last minute. NBC 
News’ spokesperson didn't return repeated phone calls on the segment, but a source close to 
the production, speaking on condition of anonymity, says network lawyers pulled the plug on 
the Lamo package out of concern that NBC might have acted improperly in filming the hacker 
committing computer crimes for the sake of the camera. 
Legal Pitfalls? 

The hacker says he wasn't coerced 
into doing anything illegal, and that 
he'd have likely wound up at the 
same Kinko's cracking corporate 
networks even without the camera 
crew -- an assertion that few who've 
met Lamo would dispute. But former 
federal computer crime prosecutor 
Matt Yarbrough, now an attorney 
with Fish & Richardson, says NBC's 
barristers did the right thing anyway, 
given broad federal conspiracy and 
computer crime laws. "If I was their 
lawyer, I'd be concerned if they were 
sitting there filming it," says 
Yarbrough. But the attorney adds 
that spiking the story may not 
entirely solve the problem. 
“Arguably, the crime has already 
taken place whether they air it or 
not.” 


It's not entirely clear what that crime would be. Other journalists (including this reporter) have 
observed lawbreaking for the purpose of reporting on it, and Lamo's intrusion into NBC's 
systems may not have been illegal to begin with, since the producer arguably gave Lamo 
permission to proceed. As for the telecom company, “It's not aiding and abetting a crime just 
because you had an appointment to get together and be shown,” says Jennifer Granick, 
director of the Center for Internet and Society at Stanford Law School. "Apparently, he already 
has access to these systems, so it was something he was able to do, and was inclined to do, 
and the reporter was just watching... Being witness to somebody else breaking the law is not 
itself a violation.” 


But Kelly McBride, an ethics instructor at the Poynter Institute, a journalism research center, 
calls the taping “borderline lawbreaking," and says NBC News should have checked with their 
legal department before shooting, and found another way to tell the story if necessary. 


“If the journalistic motivation is to show the public how easy it is or how vulnerable we all 
are... it's a good story and it's one of holding powerful people accountable," says McBride. 


“Maybe they should have just talked to the lawyers first. It's not like this is so urgent that 


FBI(19-cv-1495)-6443 




they have to get it on the air, it's not the Pentagon Papers. ... A little front end work to 


identify the pitfalls would have made it a good story.” 


For his part, Lamo, who's not known for shrinking from controversy, charges the network 


with a failure of courage. “I can understand where they're comi: 
telephone interview from somewhere on the East Coast. “But 
I'd take more of a risk.” 
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Lamo takes a morally ambiguous stance on his nisnuss THs aRvicte Sl 
hacking, but others don't uRHE YO Aa enon as 


By George V. Hulme 


Meet Adrian Lamo. At 21 years old, Lamo is clean-cut and soft-spoken, his 
deliberate speech marked by a slight stutter. A short, thinly built, former 
vegetarian, he takes a seat facing the door at the South Street Diner in 
Philadelphia, picking at his chicken Caesar salad and keenly eying his 
surroundings as he explains why and how he does what he does. And that's hack 
into a business’ network, alert the company to his actions, offer to help fix the 
problem for free, and, once the holes are patched, go public with the breach. 


Why he does this is a little less clear. "I've never made an argument that there's 
any particular right or moral principle that makes the exploration of private 
domains OK," he says. "I'm not saying it's right. It's what I do.” 


That moral ambiguity belies the zeal Lamo brings to his mission. “I challenge 
[others] to find another way to get companies to take these issues seriously,” he 
says. "To get AOL to admit to a widespread security problem isn't going to happen 
based on a few phone calls." Two years ago, Lamo published on the Internet 
details about how hackers were taking advantage of a flaw in America Online's 
AIM registration server to hijack Instant Messenger accounts. 


Lamo’s mission has led him to expose computer security flaws at companies such 
as Microsoft, The New York Times, WorldCom, Yahoo, and the now-defunct 
Excite@home. To publicize his work, he’s often tapped ex-hacker-turned-journalist 
Kevin Poulsen as his go-between: Poulsen contacts the hacked company, alerts it 
to the break-in, offers Lamo's cooperation, then reports the hack on the 
SecurityFocus Online Web site, where he's a news editor. 


Lamo may be the most controversial hacker since Kevin Mitnick, who gained fame 
in the mid-'90s by breaking into the computer systems of high-tech companies and 
stealing proprietary software code. To the extent that Lamo brings a moral 
justification to his actions--and that people buy into that argument-he may be 
even more dangerous. 


Lamo claims he never intentionally interrupts 
service, and he doesn't sell, distribute, or destroy 
the data he accesses. “Destroying data is near 
sacrilege--it's like burning the last known copy of 
the Bible," he says. Still, unlawful entry into a 
private network is a misdemeanor. And if it could 
be proved that his digital trespassing caused 
$5,000 or more in damage to a company, even 
unintentionally, Lamo could face felony charges, 
says Mark Rasch, former head of the Justice 
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the number of U.S. companies reporting downtime 
related to security breaches or espionage, 
according to InformationWeek Research's annual 
Global Information Security Survey (see story, p. 
36), and the threat of cyberterrorism greater than 
ever, many business-technology managers and security experts have little 
tolerance for Lamo’s tactics, even if they do raise awareness about lax corporate 
security. 

Lamo challenges others to find another way to get companies to take security 
seriously. 


“If you're not invited, you shouldn't be there," says Diane Bunch, VP of IS at the 
Tennessee Valley Authority, who believes legislation against hacking and 
prosecution of hackers needs to be tougher. “It's like my house--if I didn't invite 
you in off the street, I don’t expect to see you there," she says. 


Bruce Schneier, founder and chief technology officer of managed security services 
provider Counterpane Internet Security Inc., says he isn't impressed by the 
hacking-to-build-awareness argument. "It’s like committing arson to build forest-fire 
awareness," Schneier says. "There are other ways to build awareness.” 


Executives at The New York Times, which was victimized by Lamo in February, 
would likely agree. The media company said last week it hasn’t ruled out asking 
law enforcement to press charges against the hacker. “We're still exploring our 
options, and discussions with the authorities is one of those options," a 
spokeswoman says. 


Lamo accessed a database holding the personal information of 3,000 New York 
Times employees, as well as that of big-name editorial contributors such as Jimmy 
Carter and Robert Redford. He says he surfed in from the Web, scanned the 
Times’ internal network, and found as many as eight open proxy servers. By 
viewing header information in an auto-reply E-mail, he found references to servers 
on the internal network and was able to hack into the database, logging himself on 
as an administrative assistant. 


Lamo claims he breaks into companies' networks using only an old Toshiba 
notebook that's missing seven keys, a Web browser, and rented network 
connections at Internet cafes or copy shops. 


Born in Massachusetts, Lamo moved around quite a bit growing up; he lived in 
Connecticut, Virginia, California, and even spent a few years in Colombia. Lamo 
dropped out of high school (he has a GED), and his computer skills are largely 
self-taught, beginning with peeking into the code of the role-playing adventure 
games he ran on his Commodore 64 computer. Lamo says he's homeless, and 
spends his nights on friends' couches or squatting in abandoned buildings. He 
travels on foot or by Greyhound bus because "it's the last form of public 
transportation that doesn't require a photo ID." He earns money from odd jobs, he 
says: When you "don't have rent or a car payment, you don’t need much money to 
survive." 


Lamo contends that, from an IT standpoint, many companies ignore their most 
vulnerable points. Companies that patch only known software vulnerabilities, then 
simply scan their applications and networks for potential security holes, are 
missing the bigger picture, he says. "They think if you have no known ‘exploits’ on 
your systems, they're secure," he says. “They're not. None of the intrusions I've 
been behind had anything to do with what would be called a known [software] 
exploit or vulnerability. It's more nebulous.” 


His break-in at troubled telecom vendor WorldCom in December, accomplished by 
way of several misconfigured proxy servers, is an example. Companies establish 
proxy servers to let employees access the Internet. When set up properly, they're 
one-way streets. But proxy servers are easy to misconfigure, and many are 
brought online in open mode, letting outsiders connect to the network while hiding 
their point of origin. 


Silence Prevails Once past a company's proxy servers and 
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perimeter defenses, Lamo says, he's able 
to escape the notice of intrusion-detection systems. IDSs often have preconfigured 
definitions of anomalous activity, such as malformed packets and certain systems 
requests. "But when you have someone sitting at a Web browser looking at things 
the way an employee would look at them, that's not something that can be picked 
up by the IDS," Lamo says. “The IDS can’t see a person's intent.” With WorldCom, 
Lamo says he was able to view the names and Social Security numbers of 
thousands of its employees, as well as potentially cut services to most of the 
telecommunication provider's customers. 


What Lamo did is “no different than showing up at a company wearing a UPS 
uniform,” says Counterpane's Schneier. "Of course you're trusted." Companies 
that monitor only their front doors are prime targets for such attacks, Schneier 
says. 


After the break-in became known, a WorldCom spokeswoman said the company 
appreciated Lamo's drawing its attention to the problem and the help he gave the 
company one weekend to fix the flaws. A spokeswoman reached last week 
wouldn't comment further. Poulsen says that, like WorldCom, officials at 
Excite@home also “expressed gratitude for Adrian." 


At least one business-technology manager says there are worse things than to 
have a hacker such as Lamo break into his network. If someone “points out 
security holes and doesn't do any damage, I'd rather that happen than [the holes] 
be discovered by a competitor or terrorist," says the chief security officer at a 
Midwest consumer-goods manufacturer. "I could live without the media attention, 
but I'd personally be hard-pressed to call the police.” 


Despite the talk by The New York Times of possibly going to authorities, no 
charges have been filed against Lamo for any of the incidents. Indeed, few 
companies are interested in seriously investigating computer breaches internally, 
says former federal prosecutor Mitch Dembin, who litigated a number of computer 
and high-tech crimes and now heads IT forensics company EvidentData Inc. “My 
experience has been that unless the hackers do obvious damage, [companies] 
won't do anything," he says. “They patch and secure the holes and move on.” It 
can take weeks and cost hundreds of thousands of dollars for an IT forensics 
company to determine the extent of a breach, put compromised systems through 
an extensive analysis, patch and close security holes, and conduct follow-up 
penetration tests. 


The costs of taking a hacker to court can be even greater, including the negative 
publicity and the very real threat of hacker retaliation. Former FBI cybercrime 
investigator Charles Neal, now VP of managed security services at Exodus, a 
Cable & Wireless unit, says that only 3% to 5% of the companies he works with 
during investigations choose to contact law enforcement. Only 18% of the U.S. 
businesses surveyed for InformationWeek Research's new security survey say 
they notify government authorities after a breach. 


The flip side of this moral equation may be that by not prosecuting Lamo, or 
hackers like him, companies are perpetuating the cycle and keeping the business 
community in general at risk. “It's a business decision,” says EvidentData's 
Dembin. "It's not based on civic-mindedness." One security executive sees it as a 
resource issue. "We may react by getting the FBI involved and eat up vast 
quantities of internal and federal law-enforcement and forensic resources," says 
the chief information security officer at a large midwest utility. "That's resources 
taken away that could be used to investigate other serious threats against the 
infrastructure." 


Lamo contends that the threat of prosecution isn't going to make hackers go away. 
Some may be deterred, just as some will be deterred by companies’ technical 
countermeasures. But “you can never eliminate the threat entirely," he says. He 
adds that companies may want to consider being tolerant of actions that may 
ultimately help them achieve better security. “There's no point in overtly ignoring 
one of the ways you can reduce security threats,” Lamo says, “just because you 
might embarrass your company from time to time.” 
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